Darkleech is back. Or maybe it never left. Either way, it's a growing problem.

A campaign that forces sites running the Apache Web server to install highly malicious software on visitors' PCs has compromised more than 40,000 Web addresses in the past nine months, 15,000 of them in the month of May alone.

The figures, published Tuesday by researchers from antivirus provider Eset, are the latest indication that an attack on websites running the Internet's most popular Web server continues to build steam. Known as Darkleech, the rogue Apache module gets installed on compromised servers and turns legitimate websites into online minefields that expose unsuspecting visitors to a host of dangerous exploits. More than 40,000 domains and website IPs have been commandeered since October, 15,000 of which were active simultaneously in May 2013. In just the last week, Eset has detected at least 270 different websites exposing users to attacks.

Sites that come under the spell of Darkleech redirect certain visitors to malicious websites hosting attack code generated by the notorious Blackhole exploit kit. The fee-based package, sold in underground forums, makes it easy for novices to exploit vulnerabilities in browsers and browser plug-ins; visitors who haven't installed the patches for those flaws are silently infected with a variety of dangerous malware. Among the payloads Darkleech pushes is Nymaim, a piece of ransomware that demands a $300 payment to unlock encrypted files on a victim's machine. Other payloads include Pony Loader and Sirefef.

"This campaign has been going on for a very long time," Eset malware researcher Sébastien Duquette wrote in Tuesday's blog post. "Our data shows that the Blackhole instance has been active for more than two years, since at least February 2011."

Eset's research is consistent with Ars coverage in April reporting that an estimated 20,000 Apache websites were infected by Darkleech in just a few weeks. Sites operated by the Los Angeles Times, Seagate, and other reputable companies were among the casualties. Like Ars, Eset found the Web malware employs a detailed array of conditions to decide when to inject malicious links into the pages shown to end users. Among other things, Eset wrote that users are attacked only when their browser reports that it is Microsoft's Internet Explorer or that it has Oracle's Java plugin. Eset's findings also square with recent figures from Google showing that the vast majority of malware attacks are launched from legitimate sites that have been hacked.

The chosen few

Darkleech has also been known to pass over visitors using IP addresses belonging to security and hosting firms, people who have recently been attacked, and those who don't arrive at the hacked pages from specific search queries. By being highly selective about whom it targets, Darkleech's developers make it harder for defenders to unravel the campaign and block infections. Visitors who are selected are served an HTML iframe tag inside a page from the legitimate, compromised site; the iframe loads attack code from a malicious site under the attackers' control.

Darkleech, which also goes by the name Linux/Charpoy, is able to tailor exploits to the geographic region of the infected victim as well. Ransomware that infects US-based visitors, for instance, purports to come from the FBI, while ransomware hitting people in other countries is adapted accordingly.

In October, Darkleech underwent a makeover that changed the format of the URL in the malicious iframe to make it harder to detect. The module decrypts four different text strings and then calculates a cryptographic hash to decide whether a visitor should be served an iframe. The randomly generated link that leads to the attack site is extremely hard to recognize as malicious except for its telltale ending, "q.php".
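
The selection logic and iframe format described in the last two paragraphs make Darkleech hard to confirm from a scanner's vantage point. The following Python is an added example, not Eset's or Ars' code: it pulls every iframe out of a page, flags off-site frames (with extra weight for the "q.php" ending the article mentions, and for the tiny or hidden sizing that is an assumption about drive-by frames rather than something the article states), and fetches the same page under more than one visitor profile, since the module serves the frame only to selected visitors. The sample HTML, the 203.0.113.7 address and the fake_server stand-in are all constructed for the example.

```python
"""Spot Darkleech-style iframe injection in HTML served by a suspect site.

Added example, not Eset's or Ars' code. The visitor conditions (Internet
Explorer, arrival from a search query) and the 'q.php' suffix are those the
article describes; the tiny/hidden-frame checks are a common assumption
about drive-by iframes, not something the article states. All sample HTML
and the fake_server() stand-in are constructed so the module runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(page_url, html):
    """Return off-site iframes with the reasons each one looks injected."""
    site = urlparse(page_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.frames:
        src = frame.get("src", "")
        target = urlparse(src)
        if not target.hostname or target.hostname == site:
            continue  # same-origin frames are not what Darkleech injects
        reasons = []
        if target.path.endswith("q.php"):
            reasons.append("q.php")           # telltale ending from the article
        if frame.get("width") in ("0", "1") or frame.get("height") in ("0", "1"):
            reasons.append("tiny")            # assumption: drive-by frames hide
        if "display:none" in frame.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        hits.append({"src": src, "host": target.hostname, "reasons": reasons})
    return hits


# Request profiles to compare. Darkleech skips visitors it considers
# uninteresting, so a single plain fetch can miss the injection entirely.
VISITOR_PROFILES = {
    "plain": {"User-Agent": "curl/7.30.0", "Referer": ""},
    "ie_from_search": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
        "Referer": "http://www.google.com/search?q=example+site",
    },
}


def differential_scan(page_url, fetch):
    """fetch(url, headers) -> html.  Returns {profile_name: suspicious iframes}."""
    return {
        name: suspicious_iframes(page_url, fetch(page_url, headers))
        for name, headers in VISITOR_PROFILES.items()
    }


# --- constructed sample data -------------------------------------------------
CLEAN_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='/widgets/weather.html'></iframe></body></html>"
)
# 203.0.113.7 is a documentation address standing in for an attacker host.
INJECTED_HTML = CLEAN_HTML.replace(
    "</body>",
    "<iframe src='http://203.0.113.7/2f9a1c8e/q.php' width='1' height='1' "
    "style='display: none'></iframe></body>",
)


def fake_server(url, headers):
    """Stand-in for a compromised host: injects only for IE arriving from a search."""
    if "MSIE" in headers.get("User-Agent", "") and "/search?" in headers.get("Referer", ""):
        return INJECTED_HTML
    return CLEAN_HTML


if __name__ == "__main__":
    for profile, hits in differential_scan("http://www.example.org/", fake_server).items():
        print(profile, hits or "no off-site iframes")
```

Run it against a real host by passing a fetcher built on urllib or requests in place of fake_server. Because Darkleech also keys on the requester's IP address and on whether that address was served recently, a scan that comes back clean from a hosting-company address proves little; check the server's own files as well.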

As has been the case with previous investigations, researchers still don't know how the Darkleech module takes initial hold of the sites it infects. Speculation has surfaced that the servers are compromised by exploiting undocumented vulnerabilities in the CPanel or Plesk tools that administrators use to remotely manage sites, but there's no hard evidence to back up that theory. Researchers also reckon sites may be taken over by cracking administrative passwords or by exploiting security flaws in Linux, Apache, or another piece of commonly used software. Darkleech in part uses CPanel and Plesk servers to handle certain aspects of the iframe injection and payload delivery, but other parts rely on the Apache server itself, Pierre-Marc Bureau, Eset's security intelligence program manager, told Ars.

Because a single server usually hosts many websites, multiple domain names often point to a single IP address, so Eset's researchers are unable to determine exactly how many Apache-powered websites are infected by Darkleech. The total is "probably lower" than the 40,000 estimate, Bureau said.

The Eset report comes two weeks after researchers from security firm Sucuri unearthed a new malicious module infecting Apache servers. They're still not sure if the plug-in is a newer, stealthier version of Darkleech or a completely different tool developed by a rival crime group. Researchers in recent months have uncovered a third piece of malware that causes websites to expose visitors to attacks. Known as Linux/Cdorked, it targets sites running the Apache, nginx, and Lighttpd Web servers and, as of May, had exposed almost 100,000 end-users running Eset software alone to attack.

Only you can prevent Web server hacks

With so many threats successfully targeting mainstream Web servers, administrators should lock down their systems by following good security hygiene. One step is to ensure all default passwords have been changed to ones that are long and randomly generated. Also key is keeping every software component, including the operating system and all applications, fully up to date. It's also worth running a website security scanner from time to time and periodically checking the cryptographic hash of the Web server's HTTP daemon, and of the modules it loads, to make sure they haven't been tampered with.
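
The last of those recommendations, checking the daemon's hash, only works if you recorded a known-good value first. The following Python is an added example, not from the article or any vendor tool: it records SHA-256 hashes of the httpd binary, the modules directory and the configuration tree, reports anything added, removed or modified on a later run, and lists LoadModule directives that are not on an operator-supplied allow-list (a rogue module still has to be loaded from the configuration). The default paths are the common Debian and RHEL layouts and are assumptions; demo() runs the same check on a constructed temporary directory so the module can be exercised offline.

```python
"""Record and re-check hashes of an Apache install to catch a rogue module.

Added example, not from the article or any vendor tool. DEFAULT_PATHS are
the common Debian/Ubuntu and RHEL/CentOS locations and are assumptions;
adjust them for your distribution. demo() exercises the same code on a
constructed temporary directory, not on a real server.
"""
import hashlib
import json
import os
import re
import sys
import tempfile

DEFAULT_PATHS = [
    "/usr/sbin/apache2", "/usr/sbin/httpd",                  # the daemon itself
    "/usr/lib/apache2/modules", "/usr/lib64/httpd/modules",  # loadable modules
    "/etc/apache2", "/etc/httpd",                            # configuration
]

# Active LoadModule directives only; a leading '#' comments one out.
_LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map every regular file found under `paths` to its SHA-256 hex digest."""
    baseline = {}
    for path in paths:
        if os.path.isfile(path):
            baseline[path] = sha256_file(path)
        elif os.path.isdir(path):
            for root, _dirs, files in os.walk(path):
                for name in files:
                    full = os.path.join(root, name)
                    if os.path.isfile(full):   # follows symlinks, hashes the target
                        baseline[full] = sha256_file(full)
    return baseline


def compare_baseline(old, new):
    """Files added, removed or changed between two baselines (sorted lists)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def loaded_modules(conf_text):
    """Parse active LoadModule directives into {module_name: module_path}."""
    return {m.group(1): m.group(2) for m in _LOADMODULE.finditer(conf_text)}


def unexpected_modules(conf_text, allowed):
    """Modules the configuration loads that are not on the operator's allow-list."""
    return {name: path for name, path in loaded_modules(conf_text).items()
            if name not in allowed}


def demo():
    """Walk through record -> tamper -> compare on a constructed directory."""
    work = tempfile.mkdtemp()
    good = os.path.join(work, "mod_ssl.so")
    with open(good, "wb") as f:
        f.write(b"legitimate module bytes")
    before = build_baseline([work])
    with open(good, "wb") as f:            # simulate a patched module ...
        f.write(b"tampered module bytes")
    rogue = os.path.join(work, "mod_rogue.so")
    with open(rogue, "wb") as f:           # ... and a newly dropped one
        f.write(b"rogue module bytes")
    after = build_baseline([work])
    return compare_baseline(before, after), good, rogue


if __name__ == "__main__":
    # usage: record <baseline.json> | check <baseline.json>
    if len(sys.argv) != 3:
        sys.exit("usage: %s record|check baseline.json" % sys.argv[0])
    action, store = sys.argv[1], sys.argv[2]
    if action == "record":
        with open(store, "w") as f:
            json.dump(build_baseline(DEFAULT_PATHS), f, indent=2, sort_keys=True)
    else:
        with open(store) as f:
            saved = json.load(f)
        print(json.dumps(compare_baseline(saved, build_baseline(DEFAULT_PATHS)), indent=2))
```

On a packaged install, also run the package manager's own verification (debsums or dpkg --verify on Debian-derived systems, rpm -V httpd on RHEL-derived ones), which compares against vendor metadata rather than a baseline you recorded yourself. Remember that the attacker has root on a Darkleech-infected host, so run the check from a trusted boot medium or against a copy of the filesystem rather than trusting the live system's own tools, and feed loaded_modules() every file the main configuration includes, not just the top-level one.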

47 Reader Comments

I wonder how many of these exploits take advantage of servers and CMS platforms that aren't kept up to date.

IME, there are plenty of CMS-based Websites where due to negligence or client ignorance, software is woefully out of date. With more online usage moving to the mobile sphere, it probably will only be a matter of time before more malware like this is targeted at the servers rather than the client devices...

At my repair shop, I have seen an alarming number of these coming in over the past few weeks. The last time I remember such a widespread malware attack was when those "fake AV" malware attacks were making their rounds on the web. I still see both, but the frequency seems to have lessened a little.

The biggest problem with the cleanup is that this particular malware usually cripples or totally deletes some important services, by deleting registry entries or removing permissions from them. Stuff like Windows Update, firewall, Defender service, etc.

Microsoft has a version of Security Essentials which you can run on a system via booting from USB so the infection is easier to kill while dormant.

It's nice to have a problem that can't affect my web servers for once. I'm sure someone will release a huge IIS exploit at some point, but it's almost like running Mac OS on a desktop: fewer servers to infect than Apache.

This wreaked havoc on my school system website. I feel they had gotten in through the FrontPage 2003 extensions but I am not sure. I had to shut down the classroom pages and moved to a new Mac server. Hopefully now my code won't be getting injected anytime soon. Fingers crossed.

Please, everyone, for the love of $DEITY, even if this isn't true, stop using Frontpage extensions.

The article's reference to the sucuri website scanner is a good tip, and reader comments are also enlightening at times, but I'd like to see more coverage of server-side protections here at Ars Technica. I don't mean just SQL injection stuff and other poor site-coding practices at the script language level, but lower level, deeper anti-virus, malware, and site-scanning technologies, and other mitigation. In this era of the DIY home server and cheap shared hosting services, such things become increasingly important. While that was once pretty much entirely the domain (oh, sorry) of professional webmasters and commercial site operators, it's now moved much closer to the consumer. For the home server, not all consumer-oriented anti-virus/malware scanning programs are appropriate or effective. In fact, few of them may be; vendors typically want more money for server-side protection packages, such as mail server coverage.

Perhaps Dan Goodin and Lee Hutchinson could consider an extension to Lee's great Web Served series, focusing on exactly that: scanning at (and of) the server, how it differs from scanning consumer machines, and what reliable tools and resources are available for The Little Guy.

I just cleaned one yesterday. It was a church secretary who initially panicked when she saw that FBI notice. She called the local cops thinking that someone had been using her computer to actually access these sites. Luckily, the cop she talked to knew it was bogus. I use a Linux based rescue CD to clean these. It takes a while, but is very thorough. Her antivirus was Threatfire (closed down 2 years ago) and no firewall. That has since been remedied. And I recommended changing ALL of her passwords. She used the same password on most sites.

These are some dark corners of internet mechanics that are being exploited. I mean, despite the malevolence involved, technologically these attacks are super interesting.

The frustrating part is that I don't have a 'dirty' machine yet to confidently Google the aforementioned malware to learn more about them.

As a legitimate question - is a VM sufficient? I don't know of any malware that's capable of realizing it's in a virtual machine; but then again, I don't know much about that space to begin with.

In practice, it's trivial to detect whether the running environment is a VM or not. A few nasty ones have exploited bugs in various VMs to break out into the host.

It's really best that you use an entirely separate physical machine, on an isolated network segment, if you're going to do hands-on research.

The only VM exploits I have been able to find or ever heard of all involve some sort of flaw in a sharing mechanism and not the virtualization.

Example, a VM exploit that took advantage of a host-to-guest VM fileshare that used DMA. Why use a VM DMA file share when you could just use an SMB/NFS file share? Performance I guess, but you best trust that guest if you want to give it DMA access.

If you're going to be poking holes between the host and the guest, expect someone to potentially find an exploit. As for a standard un-trusted guest with no sharing with the host, I haven't yet heard of an exploit.

Speculation has surfaced that the servers are compromised by exploiting undocumented vulnerabilities in the CPanel or Plesk tools administrators used to remotely manage sites, but there's no hard evidence to back up that theory. Researchers also reckon sites may be taken over by cracking administrative passwords or by exploiting security flaws in Linux, Apache, or another piece of commonly used software.

For the love of Mike, who allows admin access to their web servers from just any old address? Shouldn't the admin be locked to only allow access from on-site/behind a VPN, especially at the larger sites?

Microsoft has a version of Security Essentials which you can run on a system via booting from USB so the infection is easier to kill while dormant.

Do they make it easy to upgrade the definition portion of that over time? Or does it count on an internet connection to make sure it is up to date before it scans? Just wondering about creating one, but at this time I have no need for it. If it is easy to update the definition portion it is worth doing ahead of time, otherwise it probably will be useless by the time I need it heh.

Now you know why Windows looks bad. When you try to dumb down everything, your security goes to crap. Now even Linux is looking bad.

Most of the comments here concentrate on trying to repair the servers rather than the clients.

It really is totally unacceptable in this day and age that we have browsers that allow themselves and/or their plugins to be hijacked in this manner. After all, they can't operate unless they're connected to the web! If a flaw exists in a particular version, it should fail to load anything until it has been patched or patched itself. If a flaw is discovered in a plugin, it should not load the plugin. Then, the only attacks that can succeed are true zero-day exploits or attacks against the browser update mechanism itself.

The way that security updates are handled in modern software is just irresponsibly sloppy, someone-else's-problem behavior.

Now you know why Windows looks bad. When you try to dumb down everything, your security goes to crap. Now even Linux is looking bad.

I doubt this is a problem with Linux per se. It's probably a vulnerability with some 3rd-party add-on, like a CMS or a remote admin tool. Even the most secure OS can be compromised by bad or default passwords, administrative mistakes or vulnerable 3rd-party add-ons.

In a properly locked down web server, one would give Apache read-only access to the FS and not let the web server change its own damn config files. Attempting this exploit should just result in a bunch of access violations, which should flag the admin that something is wrong.

Nobody has figured out how they are getting in, but it does not look like they are getting in via the web server. They are getting full root with enough permissions to modify the web server program itself to install stealth modules. The best guess is either stolen admin credentials or some flaw in an administration program that runs with root permissions.

I honestly think that they are getting in via stolen credentials. The group is hosting millions of client attacks and installing many different types of malware. It would be trivial for them to deploy a key logger or other credential stealer to collect server admin logins from machines used by admins. This also explains why none of the researchers can find any bug/flaw that allows the hackers in.

Do they make it easy to upgrade the definition portion of that over time? Or does it count on an internet connection to make sure it is up to date before it scans? Just wondering about creating one, but at this time I have no need for it. If it is easy to update the definition portion it is worth doing ahead of time, otherwise it probably will be useless by the time I need it heh.

It loads the offline scanner in a Windows PE environment. If your machine happens to have a common NIC that the PE environment has drivers for, you can update the defs directly before running. If not, you can run the setup from any good machine beforehand and get an updated copy of the defs. It is a one-click operation. I keep 2 small USB keys with the 32- and 64-bit versions installed for quick use.

Most of the comments here concentrate on trying to repair the servers rather than the clients.

I think you've hit the nail on the head. The client shouldn't be able to be exploited by a compromised server. Judging by the attitude of the posts, we've collectively given up on the idea of Windows clients being secure. Not that you can't make a Windows client relatively secure by keeping up on patches, etc., but the average web user's computer is far from as secure as it could be and we've come to take this for granted.

In other words, if a bunch of Windows PCs get compromised, that's not news. If a bunch of Apache servers get compromised, that's news.

The problem isn't that you can't make a Windows client secure, the problem is that it requires an adequate amount of time, effort and - most importantly - knowledge of how to secure Windows.

The last part isn't made any easier by Microsoft not advertising any of the advanced security features that are included in Windows, or even software they provide that can help prevent 0-day exploits. EMET is a perfect example of software from Microsoft that should be included by default in every single Windows installation but is instead a rarely talked about piece of security software.

A Software Restriction Policy is also another great security aspect that's hidden deep within the Local Group Policy editor. They did add AppLocker in Windows 7 Ultimate/Pro which was supposed to replace an SRP by being easier to manage more advanced whitelist configurations but they freaking dropped it in all Windows 8 editions except the Enterprise version so any private consumer would have had to go back to using the older, less manageable SRP.

Microsoft has made some awesome strides in security since the days of Windows XP, but in some of the more advanced security categories, they seem to be their own worst enemy in simply not getting the word out there of these advanced mechanisms (or worse, removing them).

If Windows clients were as locked down as Windows Server, no one would be able to get on the internet. So it goes with the territory: one takes the heat for all the clients, and Linux takes the heat for having all those web servers.

I doubt this is a problem with Linux per se. It's probably a vulnerability with some 3rd-party add-on, like a CMS or a remote admin tool. Even the most secure OS can be compromised by bad or default passwords, administrative mistakes or vulnerable 3rd-party add-ons.

They all fall under the "OpenSource" crowd. People don't look at Windows and say "Wow, the OS is secure but the users are stupid", they just go off on a rant on how Windows is bad, yet 95% of Windows "exploits" are just social engineering, and another 4.99% is unpatched systems.

Well, now those stupid features and bad security is coming to your standard OpenSource community site.

All systems are a balance of security and convenience, must trade one for the other.

As a legitimate question - is a VM sufficient? I don't know of any malware that's capable of realizing it's in a virtual machine; but then again, I don't know much about that space to begin with.

Well actually if you have it locked down you should be safe, I would not recommend having any shared locations though. No shared folders at all even if they're one way, I'd keep it walled off completely. Far as I know there are no active exploits against the current versions of VMware or VirtualBox. As for your network I cannot say, but I'd connect directly till you find it then completely isolate it from the internet.

Still playing with this shit is like playing with fire.

I have the same thoughts about shared directories (unless Read Only). So if I did download something on a VM I no longer trusted, I would ftp the file out, say with filezilla. The only drawback is the need for storage that understands ftp or an ftp server. But filezilla offers a free ftp server so any network connected computer could serve that task.

As a legitimate question - is a VM sufficient? I don't know of any malware that's capable of realizing it's in a virtual machine; but then again, I don't know much about that space to begin with.

I would think so.

There is no difference between a VM and a normal instance of the OS other than the device drivers (for virtual devices, natch), and I don't think you can get info on these from a browser.

Blackhole and similar exploits use browser only as infection vector - they don't _run_ in the browser, they use known vulnerabilities in browser and plugins to drop and run their body outside the sandbox.

There they can detect that they're running in a VM, but, AFAIK, there are no real break-out-of-VM attacks out there. Smartest thing malware can do after detecting this is don't download the real payload and wipe itself out to make malware researcher's work a bit harder.

My public facing web server was hacked by the Russkies last week. It is Slackware/Apache 2.4/PHP (1 month old PHP). I don't run FrontPage, phpMyAdmin, Drupal, or anything with xmlrpc.php; things for which I see hourly attacks in my logs. I can not figure out how I acquired /tmp/deeeeeeeeeeeead, a perl script which emailed my server info out via "http://asontvdirect.com/Hydroxatone/saver.php?smtp=", telling the bums to establish a pipe to .ru. Fortunately, it ran as httpd and when it tried to get root my system sent me alarm emails. Yea.